xref: /linux/crypto/sha512.c (revision f09fc24dd9a5ec989dfdde7090624924ede6ddc7)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Crypto API support for SHA-384, SHA-512, HMAC-SHA384, and HMAC-SHA512
4  *
5  * Copyright (c) Jean-Luc Cooke <jlcooke@certainkey.com>
6  * Copyright (c) Andrew McDonald <andrew@mcdonald.org.uk>
7  * Copyright (c) 2003 Kyle McMartin <kyle@debian.org>
8  * Copyright 2025 Google LLC
9  */
10 #include <crypto/internal/hash.h>
11 #include <crypto/sha2.h>
12 #include <linux/kernel.h>
13 #include <linux/module.h>
14 
15 /*
16  * Export and import functions.  crypto_shash wants a particular format that
17  * matches that used by some legacy drivers.  It currently is the same as the
18  * library SHA context, except the value in bytecount_lo must be block-aligned
19  * and the remainder must be stored in an extra u8 appended to the struct.
20  */
21 
22 #define SHA512_SHASH_STATE_SIZE 209
23 static_assert(offsetof(struct __sha512_ctx, state) == 0);
24 static_assert(offsetof(struct __sha512_ctx, bytecount_lo) == 64);
25 static_assert(offsetof(struct __sha512_ctx, bytecount_hi) == 72);
26 static_assert(offsetof(struct __sha512_ctx, buf) == 80);
27 static_assert(sizeof(struct __sha512_ctx) + 1 == SHA512_SHASH_STATE_SIZE);
28 
29 static int __crypto_sha512_export(const struct __sha512_ctx *ctx0, void *out)
30 {
31 	struct __sha512_ctx ctx = *ctx0;
32 	unsigned int partial;
33 	u8 *p = out;
34 
35 	partial = ctx.bytecount_lo % SHA512_BLOCK_SIZE;
36 	ctx.bytecount_lo -= partial;
37 	memcpy(p, &ctx, sizeof(ctx));
38 	p += sizeof(ctx);
39 	*p = partial;
40 	return 0;
41 }
42 
43 static int __crypto_sha512_import(struct __sha512_ctx *ctx, const void *in)
44 {
45 	const u8 *p = in;
46 
47 	memcpy(ctx, p, sizeof(*ctx));
48 	p += sizeof(*ctx);
49 	ctx->bytecount_lo += *p;
50 	return 0;
51 }
52 
53 /* SHA-384 */
54 
55 const u8 sha384_zero_message_hash[SHA384_DIGEST_SIZE] = {
56 	0x38, 0xb0, 0x60, 0xa7, 0x51, 0xac, 0x96, 0x38,
57 	0x4c, 0xd9, 0x32, 0x7e, 0xb1, 0xb1, 0xe3, 0x6a,
58 	0x21, 0xfd, 0xb7, 0x11, 0x14, 0xbe, 0x07, 0x43,
59 	0x4c, 0x0c, 0xc7, 0xbf, 0x63, 0xf6, 0xe1, 0xda,
60 	0x27, 0x4e, 0xde, 0xbf, 0xe7, 0x6f, 0x65, 0xfb,
61 	0xd5, 0x1a, 0xd2, 0xf1, 0x48, 0x98, 0xb9, 0x5b
62 };
63 EXPORT_SYMBOL_GPL(sha384_zero_message_hash);
64 
65 #define SHA384_CTX(desc) ((struct sha384_ctx *)shash_desc_ctx(desc))
66 
67 static int crypto_sha384_init(struct shash_desc *desc)
68 {
69 	sha384_init(SHA384_CTX(desc));
70 	return 0;
71 }
72 
73 static int crypto_sha384_update(struct shash_desc *desc,
74 				const u8 *data, unsigned int len)
75 {
76 	sha384_update(SHA384_CTX(desc), data, len);
77 	return 0;
78 }
79 
80 static int crypto_sha384_final(struct shash_desc *desc, u8 *out)
81 {
82 	sha384_final(SHA384_CTX(desc), out);
83 	return 0;
84 }
85 
86 static int crypto_sha384_digest(struct shash_desc *desc,
87 				const u8 *data, unsigned int len, u8 *out)
88 {
89 	sha384(data, len, out);
90 	return 0;
91 }
92 
93 static int crypto_sha384_export(struct shash_desc *desc, void *out)
94 {
95 	return __crypto_sha512_export(&SHA384_CTX(desc)->ctx, out);
96 }
97 
98 static int crypto_sha384_import(struct shash_desc *desc, const void *in)
99 {
100 	return __crypto_sha512_import(&SHA384_CTX(desc)->ctx, in);
101 }
102 
103 /* SHA-512 */
104 
105 const u8 sha512_zero_message_hash[SHA512_DIGEST_SIZE] = {
106 	0xcf, 0x83, 0xe1, 0x35, 0x7e, 0xef, 0xb8, 0xbd,
107 	0xf1, 0x54, 0x28, 0x50, 0xd6, 0x6d, 0x80, 0x07,
108 	0xd6, 0x20, 0xe4, 0x05, 0x0b, 0x57, 0x15, 0xdc,
109 	0x83, 0xf4, 0xa9, 0x21, 0xd3, 0x6c, 0xe9, 0xce,
110 	0x47, 0xd0, 0xd1, 0x3c, 0x5d, 0x85, 0xf2, 0xb0,
111 	0xff, 0x83, 0x18, 0xd2, 0x87, 0x7e, 0xec, 0x2f,
112 	0x63, 0xb9, 0x31, 0xbd, 0x47, 0x41, 0x7a, 0x81,
113 	0xa5, 0x38, 0x32, 0x7a, 0xf9, 0x27, 0xda, 0x3e
114 };
115 EXPORT_SYMBOL_GPL(sha512_zero_message_hash);
116 
117 #define SHA512_CTX(desc) ((struct sha512_ctx *)shash_desc_ctx(desc))
118 
119 static int crypto_sha512_init(struct shash_desc *desc)
120 {
121 	sha512_init(SHA512_CTX(desc));
122 	return 0;
123 }
124 
125 static int crypto_sha512_update(struct shash_desc *desc,
126 				const u8 *data, unsigned int len)
127 {
128 	sha512_update(SHA512_CTX(desc), data, len);
129 	return 0;
130 }
131 
132 static int crypto_sha512_final(struct shash_desc *desc, u8 *out)
133 {
134 	sha512_final(SHA512_CTX(desc), out);
135 	return 0;
136 }
137 
138 static int crypto_sha512_digest(struct shash_desc *desc,
139 				const u8 *data, unsigned int len, u8 *out)
140 {
141 	sha512(data, len, out);
142 	return 0;
143 }
144 
145 static int crypto_sha512_export(struct shash_desc *desc, void *out)
146 {
147 	return __crypto_sha512_export(&SHA512_CTX(desc)->ctx, out);
148 }
149 
150 static int crypto_sha512_import(struct shash_desc *desc, const void *in)
151 {
152 	return __crypto_sha512_import(&SHA512_CTX(desc)->ctx, in);
153 }
154 
155 /* HMAC-SHA384 */
156 
157 #define HMAC_SHA384_KEY(tfm) ((struct hmac_sha384_key *)crypto_shash_ctx(tfm))
158 #define HMAC_SHA384_CTX(desc) ((struct hmac_sha384_ctx *)shash_desc_ctx(desc))
159 
160 static int crypto_hmac_sha384_setkey(struct crypto_shash *tfm,
161 				     const u8 *raw_key, unsigned int keylen)
162 {
163 	hmac_sha384_preparekey(HMAC_SHA384_KEY(tfm), raw_key, keylen);
164 	return 0;
165 }
166 
167 static int crypto_hmac_sha384_init(struct shash_desc *desc)
168 {
169 	hmac_sha384_init(HMAC_SHA384_CTX(desc), HMAC_SHA384_KEY(desc->tfm));
170 	return 0;
171 }
172 
173 static int crypto_hmac_sha384_update(struct shash_desc *desc,
174 				     const u8 *data, unsigned int len)
175 {
176 	hmac_sha384_update(HMAC_SHA384_CTX(desc), data, len);
177 	return 0;
178 }
179 
180 static int crypto_hmac_sha384_final(struct shash_desc *desc, u8 *out)
181 {
182 	hmac_sha384_final(HMAC_SHA384_CTX(desc), out);
183 	return 0;
184 }
185 
186 static int crypto_hmac_sha384_digest(struct shash_desc *desc,
187 				     const u8 *data, unsigned int len,
188 				     u8 *out)
189 {
190 	hmac_sha384(HMAC_SHA384_KEY(desc->tfm), data, len, out);
191 	return 0;
192 }
193 
194 static int crypto_hmac_sha384_export(struct shash_desc *desc, void *out)
195 {
196 	return __crypto_sha512_export(&HMAC_SHA384_CTX(desc)->ctx.sha_ctx, out);
197 }
198 
199 static int crypto_hmac_sha384_import(struct shash_desc *desc, const void *in)
200 {
201 	struct hmac_sha384_ctx *ctx = HMAC_SHA384_CTX(desc);
202 
203 	ctx->ctx.ostate = HMAC_SHA384_KEY(desc->tfm)->key.ostate;
204 	return __crypto_sha512_import(&ctx->ctx.sha_ctx, in);
205 }
206 
207 /* HMAC-SHA512 */
208 
209 #define HMAC_SHA512_KEY(tfm) ((struct hmac_sha512_key *)crypto_shash_ctx(tfm))
210 #define HMAC_SHA512_CTX(desc) ((struct hmac_sha512_ctx *)shash_desc_ctx(desc))
211 
212 static int crypto_hmac_sha512_setkey(struct crypto_shash *tfm,
213 				     const u8 *raw_key, unsigned int keylen)
214 {
215 	hmac_sha512_preparekey(HMAC_SHA512_KEY(tfm), raw_key, keylen);
216 	return 0;
217 }
218 
219 static int crypto_hmac_sha512_init(struct shash_desc *desc)
220 {
221 	hmac_sha512_init(HMAC_SHA512_CTX(desc), HMAC_SHA512_KEY(desc->tfm));
222 	return 0;
223 }
224 
225 static int crypto_hmac_sha512_update(struct shash_desc *desc,
226 				     const u8 *data, unsigned int len)
227 {
228 	hmac_sha512_update(HMAC_SHA512_CTX(desc), data, len);
229 	return 0;
230 }
231 
232 static int crypto_hmac_sha512_final(struct shash_desc *desc, u8 *out)
233 {
234 	hmac_sha512_final(HMAC_SHA512_CTX(desc), out);
235 	return 0;
236 }
237 
238 static int crypto_hmac_sha512_digest(struct shash_desc *desc,
239 				     const u8 *data, unsigned int len,
240 				     u8 *out)
241 {
242 	hmac_sha512(HMAC_SHA512_KEY(desc->tfm), data, len, out);
243 	return 0;
244 }
245 
246 static int crypto_hmac_sha512_export(struct shash_desc *desc, void *out)
247 {
248 	return __crypto_sha512_export(&HMAC_SHA512_CTX(desc)->ctx.sha_ctx, out);
249 }
250 
251 static int crypto_hmac_sha512_import(struct shash_desc *desc, const void *in)
252 {
253 	struct hmac_sha512_ctx *ctx = HMAC_SHA512_CTX(desc);
254 
255 	ctx->ctx.ostate = HMAC_SHA512_KEY(desc->tfm)->key.ostate;
256 	return __crypto_sha512_import(&ctx->ctx.sha_ctx, in);
257 }
258 
259 /* Algorithm definitions */
260 
261 static struct shash_alg algs[] = {
262 	{
263 		.base.cra_name		= "sha384",
264 		.base.cra_driver_name	= "sha384-lib",
265 		.base.cra_priority	= 300,
266 		.base.cra_blocksize	= SHA384_BLOCK_SIZE,
267 		.base.cra_module	= THIS_MODULE,
268 		.digestsize		= SHA384_DIGEST_SIZE,
269 		.init			= crypto_sha384_init,
270 		.update			= crypto_sha384_update,
271 		.final			= crypto_sha384_final,
272 		.digest			= crypto_sha384_digest,
273 		.export			= crypto_sha384_export,
274 		.import			= crypto_sha384_import,
275 		.descsize		= sizeof(struct sha384_ctx),
276 		.statesize		= SHA512_SHASH_STATE_SIZE,
277 	},
278 	{
279 		.base.cra_name		= "sha512",
280 		.base.cra_driver_name	= "sha512-lib",
281 		.base.cra_priority	= 300,
282 		.base.cra_blocksize	= SHA512_BLOCK_SIZE,
283 		.base.cra_module	= THIS_MODULE,
284 		.digestsize		= SHA512_DIGEST_SIZE,
285 		.init			= crypto_sha512_init,
286 		.update			= crypto_sha512_update,
287 		.final			= crypto_sha512_final,
288 		.digest			= crypto_sha512_digest,
289 		.export			= crypto_sha512_export,
290 		.import			= crypto_sha512_import,
291 		.descsize		= sizeof(struct sha512_ctx),
292 		.statesize		= SHA512_SHASH_STATE_SIZE,
293 	},
294 	{
295 		.base.cra_name		= "hmac(sha384)",
296 		.base.cra_driver_name	= "hmac-sha384-lib",
297 		.base.cra_priority	= 300,
298 		.base.cra_blocksize	= SHA384_BLOCK_SIZE,
299 		.base.cra_ctxsize	= sizeof(struct hmac_sha384_key),
300 		.base.cra_module	= THIS_MODULE,
301 		.digestsize		= SHA384_DIGEST_SIZE,
302 		.setkey			= crypto_hmac_sha384_setkey,
303 		.init			= crypto_hmac_sha384_init,
304 		.update			= crypto_hmac_sha384_update,
305 		.final			= crypto_hmac_sha384_final,
306 		.digest			= crypto_hmac_sha384_digest,
307 		.export			= crypto_hmac_sha384_export,
308 		.import			= crypto_hmac_sha384_import,
309 		.descsize		= sizeof(struct hmac_sha384_ctx),
310 		.statesize		= SHA512_SHASH_STATE_SIZE,
311 	},
312 	{
313 		.base.cra_name		= "hmac(sha512)",
314 		.base.cra_driver_name	= "hmac-sha512-lib",
315 		.base.cra_priority	= 300,
316 		.base.cra_blocksize	= SHA512_BLOCK_SIZE,
317 		.base.cra_ctxsize	= sizeof(struct hmac_sha512_key),
318 		.base.cra_module	= THIS_MODULE,
319 		.digestsize		= SHA512_DIGEST_SIZE,
320 		.setkey			= crypto_hmac_sha512_setkey,
321 		.init			= crypto_hmac_sha512_init,
322 		.update			= crypto_hmac_sha512_update,
323 		.final			= crypto_hmac_sha512_final,
324 		.digest			= crypto_hmac_sha512_digest,
325 		.export			= crypto_hmac_sha512_export,
326 		.import			= crypto_hmac_sha512_import,
327 		.descsize		= sizeof(struct hmac_sha512_ctx),
328 		.statesize		= SHA512_SHASH_STATE_SIZE,
329 	},
330 };
331 
332 static int __init crypto_sha512_mod_init(void)
333 {
334 	return crypto_register_shashes(algs, ARRAY_SIZE(algs));
335 }
336 module_init(crypto_sha512_mod_init);
337 
338 static void __exit crypto_sha512_mod_exit(void)
339 {
340 	crypto_unregister_shashes(algs, ARRAY_SIZE(algs));
341 }
342 module_exit(crypto_sha512_mod_exit);
343 
344 MODULE_LICENSE("GPL");
345 MODULE_DESCRIPTION("Crypto API support for SHA-384, SHA-512, HMAC-SHA384, and HMAC-SHA512");
346 
347 MODULE_ALIAS_CRYPTO("sha384");
348 MODULE_ALIAS_CRYPTO("sha384-lib");
349 MODULE_ALIAS_CRYPTO("sha512");
350 MODULE_ALIAS_CRYPTO("sha512-lib");
351 MODULE_ALIAS_CRYPTO("hmac(sha384)");
352 MODULE_ALIAS_CRYPTO("hmac-sha384-lib");
353 MODULE_ALIAS_CRYPTO("hmac(sha512)");
354 MODULE_ALIAS_CRYPTO("hmac-sha512-lib");
355